Protocol

By cliangNo Comments
Protocol requires proper data format and valid ranges in different preset fields per design to work properly. Threat actors are trying to manipulate the different fields and data ranges in order to exploit weakness of underlying process to handle the protocol. Just like the illustrated locks. It allow dual admins to unlock it where each admin has own access key. If a "malicious" admin who does not follow the protocol to make the locks in series but putting them in parallel, then access is denied to other admin because unlock will require both keys at the same time. Therefore, when we talk about security, there are lots of considerations: robustness of the process enforceable by strong technology with people acting honestly and all driven by laws & regulations (or organization policies). Protection is beyond encryption, firewall, system hardening. These are evadable.Most said human is the weakess link. Yes, this is still true but we must include factors like Incompetent cybersecurity practitioners providing recommendations without...
Read More

Freedom

By cliangNo Comments
This is relatively speaking. Freedom is granted to certain extend. In physical world, what stops us doing bad things? It's the laws & regulations that stipulate us behave properly. For religious, there are further moral obligations to follow, say, The Ten Commandments. Then how about in the space of digital world? We are all interacting with others in the metaverse. Cyber crimes are more complex to settle because it is cross jurisdiction. We are free to use many cyber resources but that does mean we can abuse. Network activities are mostly traceable. We have to exercise the proper behaviors, be suspicious of unknown requests, learn from others' incident in keeping us as well as our connected peers safe (secure). ...
Read More

Defeated Control #2

By cliangNo Comments
Other than controls must be enforceable, controls must also be robust because a defeated control will be an access gateway by threat actor. Threat actors will try to evade controls to reach the jewel. Therefore, controls will need regular status check. In physical world, guard patrol is needed to observe the actual situation. With more assets staying in cyber, cyber controls will need regular verification to remain their intended purpose. This could be achieved via multiple means depending on the protected value: Regular authenticated with time of date sequence to the central station Periodic assessment to validate if false positive or false negative Red team exercise as unannounced drill for readiness of the entire protection suite ...
Read More

Network #2

By cliangNo Comments
Digitalization needs things connected to deliver the business outcome. Without network, not much or even none can be achieved. And there won't be luxury nor feasible for a point to point dedicated end-to-end communication line. Therefore, the network part is always the focus for cyber risk due to no need to access physically the component and connectivity. But remember, other aspects like physical security, application controls, service provider management are equally important to secure the digital function. ...
Read More

FUD #2

By cliangNo Comments
Things outside your comfort zone or knowledge will generate FUD. There are always news exaggreating cyber risks causing severe consequence to certain organizations. Sometimes cyber threats are even just based on perspection with assumption threat actor has gained complete knowledge or your environment and yet skill to achieve this is very complex. As competent cybersecurity practitioner, we must assess the threat situation, what are controls in place and provide management comfort rather than spending unnecessary resources to protect something that does not harm much. Every business exposes to risks and we cannot eliminate all risks but to prioritize the limited resources to maximize protected values. ...
Read More

Seasonal Factor #2

By cliangNo Comments
The Ice Road only opens Jan-Feb Anomalies detection highlights the technology will learn your environment as baseline reference such that "unusual" traffic will be flagged for alert. This will save detection ruleset definition but vendor always stresses short learning time (even just 1 or 2 weeks) to convince deployment for quick win demonstrating ROI. Sometimes, network traffic or application behaviors are seasonal based because of the business operations. Therefore as always, recurring maintenance efforts are required to sustain its effectiveness and don't be influenced by vendor for zero-deployment and zero-maintenance. ...
Read More

Isolation

By cliangNo Comments
By common sense, systems isolated from the network will have immunity from cyber attack over the wire but still be vulnerable to infected removable media upon physical insertion. Just like the boat above. You don't worry about attack from sharks but what about crocodile in shallow water? As cybersecurity practitioner, we must have holistic understanding of the target operating environment, business objective and adverse consequence. We should not simply say my roles look after architecture and other issues need to talk to relevant team mates regarding cyber risks, cyber operations etc. With complete understanding, impose viable (not necessarily technical) controls for high impact consequence by reducing likelihood as much as practical. Don't just follow textbook knowledge - these are for reference only and must be digested what is applicable in own environment for helping asset owners with recommended optimal investment rather than overkill. Adding controls only creates complication and does not guarantee more secure. Indeed, more controls will demand...
Read More

“Insecure” Tunnel

By cliangNo Comments
Older TLS (Transport Layer Security) version is marked insecure by vulnerability scanner. Certain cybersecurity practitioners make decision solely based on scanner report and blindly to urge system admin to "fix" it without looking at the big picture. The vulnerability scanner has zero knowledge on the system landscape, criticality of the system being evaluated and most importantly where is the scanner placed in the network. Good practice is to assess the big picture, mark these are non-issues and forget it if it is just an internal system in isolated environment. Resources should be deployed on more important things. ...
Read More

Coverage

By cliangNo Comments
Security technology alone cannot reassure protection. It requires human judgment: What is the value of target being protected? Risks to low value asset or low business impact are simply accepted as part of the operating cost. Example is the anti-theft RFiD tags.How is the controls deployed? Is the control in place properly? Gap in control will leave a loop-hole.Most importantly, how is the control operated and sustained to maintain its effectiveness? Adding controls does not increase security sometimes but incur unnecessary overheads or activities that overkill the purpose. A comprehensive assessment from design, build, deploy, regular validation is required through out the life cycle of the deployed cybersecurity protection. ...
Read More

Unnecessary Control #2

By cliangNo Comments
Control must be enforceable. If control can be circumvented or bypassed, then there is no point to deploy such control. That's why we need to keep updating the system, infrastructure to sustain their effectiveness over time due to emerging threats are out. There are many examples out there in the cyber world. Attack and defense are competing each other. Once in the digital journey, allocate resources to address multiple aspects to stay secure: Collect threat intelligence and their impacts to own environmentAssess operation risks to prioritize protectionMaintain workforce competency and situation awarenessRefresh technology obsolescenceEstablish achievable and enforceable cybersecurity directives ...
Read More